DETAILED ACTION

1. Claims 1-21 are pending. 

Drawings 

2. The informal drawings are not of sufficient quality to 
permit examination. Accordingly, replacement drawing sheets in 
compliance with 37 CFR 1.121(d) are required in reply to this 
Office action. The replacement sheet(s) should be labeled
"Replacement Sheet" in the page header (as per 37 CFR 1.84(c)) 
so as not to obstruct any portion of the drawing figures. If the 
changes are not accepted by the examiner, the applicant will be 
notified and informed of any required corrective action in the 
next Office action. 

Applicant is given a TWO MONTH time period to submit new 
drawings in compliance with 37 CFR 1.81. Extensions of time may 
be obtained under the provisions of 37 CFR 1.136(a). Failure to
timely submit replacement drawing sheets will result in 
ABANDONMENT of the application. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which 
forms the basis for all obviousness rejections set forth in this 
Office action:

(a) A patent may not be obtained though the invention is not identically
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the 
art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

4. Claims 1-2, 10-21 are rejected under 35 U.S.C. 103(a) as
being unpatentable over I'Anson et al (EPO 0474932) and further
in view of Shanklin et al (US 6487666).

As per claims 1 and 19-21, I'Anson discloses identifying
at least two states associated with the network protocol in
which a first host system communicating with a second host
system using the network protocol may be placed; defining at
least one valid transition between a first state of the at least
two states and a second state of the at least two states (see p.
4 lines 27-49).

I'Anson fails to disclose expressing the at least one valid 
transition in the form of a regular expression and using the 
regular expression to analyze the network protocol stream. 

However, Shanklin et al teaches the use of regular
expressions (see column 6 lines 39-57).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Shanklin et al's
regular expressions to analyze the protocol of I'Anson.

Motivation to do so would have been to recognize and
evaluate identifiers, special symbols, or other tokens.

As per claim 2, the modified I'Anson and Shanklin et al 
system discloses using the regular expression to analyze the 
network protocol stream comprises compiling the regular 
expression into computer code (see column 6 lines 39-57).

As per claims 10-11, the modified I'Anson and Shanklin et 
al system discloses keeping track of which of the at least two 
states the first host system currently is in and changing the 
tracked state of the first host system from the first of the at 
least two states to the second of the at least two states in the 
event the analysis of the network protocol stream indicates the 
at least one valid transition has taken place (see p. 4 lines 
27-49).

As per claims 12 and 18, the modified I'Anson and Shanklin 
et al system discloses defining at least one invalid operation 
for the first host system in at least one of the at least two 
states; expressing the at least one invalid operation as a 
second regular expression; and using the second regular 
expression to analyze the network protocol stream (see page 4).

As per claims 13-14, the modified I'Anson and Shanklin et 
al system discloses the invalid operation may indicate that a 
security-related event has taken or is taking place and defining 
a further state corresponding to the invalid operation (see p. 4
lines 18-26 where the security related event is the intrusion of
Shanklin et al).

As per claims 15-17, the modified I'Anson and Shanklin et 
al system discloses keeping track of which state, from the set 
comprising the at least two states and the further state, the 
first host system currently is in; and changing the state of the 
first host system to the further state in the event that the 
analysis of the network protocol stream indicates the invalid 
operation has taken place and in the event that the analysis of 
the network protocol stream indicates the invalid operation has 
taken place, an indication that the invalid operation has taken 
place then discontinuing analysis of the network protocol stream 
once the state of the first host system has been changed to the 
further state (see page 4).

5. Claims 3-4 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson and Shanklin et al system 
as applied to claim 2 above, and further in view of Wijendran 
(AWK-to-C Translator).

As per claims 3-4, the modified I'Anson and Shanklin et al 
system fails to disclose the use of optimal C programming 
language code. 

However, Wijendran teaches this optimal C code (see page
1).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Wijendran's optimal
C code in the modified I'Anson and Shanklin et al system.

Motivation to do so would have been to maximize runtime
performance (see page 1).

6. Claim 5 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson and Shanklin et al system 
as applied to claim 2 above, and further in view of
Mangione-Smith (How many vector registers are useful?).

As per claim 5, the modified I'Anson and Shanklin et al
system fails to disclose the use of nearly optimal computer
code.

However, Mangione-Smith teaches nearly optimal code (see
page 1).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Mangione-Smith's
nearly optimal code in the modified I'Anson and Shanklin et al
system.

Motivation to do so would have been that nearly optimal
code requires less vector registers (see page 1).



Application/Control Number: 09/964,272

Art Unit: 2137

7. Claims 6-9 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson and Shanklin et al system
as applied to claim 1 above, and further in view of Blam (US
6467041).

As per claim 6, the modified I'Anson and Shanklin et al
system fails to disclose copying the stream to a third party to
be analyzed.

However, Blam teaches a third party analyzer (see column 6
lines 5-29).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Blam's third party
analyzer to analyze the protocol analyzer of the modified
I'Anson and Shanklin et al system.

Motivation to do so would have been to perform the analysis
regardless of what resources are on the network or client (see
column 6 lines 5-29).

As per claims 7-9, the modified I'Anson, Shanklin et al and 
Blam system discloses the network protocol stream comprises 
packets of data, each packet being associated with a sequence 
number indicating its position relative to other packets in the 
protocol stream, and the third system reassembles the packets 
into the order indicated by the respective sequence numbers of 
the packets received where a copy of the network protocol stream 
is maintained in the third system until analysis has been
completed and in the event the packets are received by the third
system in sequence number order, a copy is maintained in the
third system only of those packets comprising the portion of the
network protocol currently under analysis (see I'Anson pages 4-5
and Blam column 6 lines 5-29).

Conclusion 

8. The prior art made of record and not relied upon is 
considered pertinent to applicant's disclosure. Bernhard et al 
(US 6609205) discloses detecting network intrusions using 
regular expressions, Shaffer et al (US 6122743) discloses a 
third party analyzer, and Dietz et al (US 6665725) disclose a 
network protocol analyzer. 

Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Michael 
Pyzocha whose telephone number is (571) 272-3875. The examiner 
can normally be reached on 7:00am - 4:30pm first Fridays of the 
bi-week off. 

If attempts to reach the examiner by telephone are 
unsuccessful, the examiner's supervisor, Andrew Caldwell, can be
reached on (571) 272-3868. The fax phone number for the 
organization where this application or proceeding is assigned is
703-872-9306.

Information regarding the status of an application may be 
obtained from the Patent Application Information Retrieval 
(PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free).

ANDREW CALDWELL
SUPERVISORY PATENT EXAMINER



